Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

theweatherelectric writes "As noted by the Mozilla Blog, the AP News Registry is the first large scale service to support the Do Not Track (DNT) feature of Firefox 4 and Internet Explorer 9. They write, 'The Associated Press (AP) is the first company to deploy DNT on a large scale, and it only took a few hours for one engineer to implement. The AP News Registry tracks 1 billion impressions of news content, with 175 million unique visitors per month, and has membership with more than 800 sites. When consumers send a DNT preference via the browser while viewing a story at one of its publisher's sites, the AP News Registry no longer sets any cookies. The previous solution was for users to opt-out via a link to a central opt-out page referenced in each participating news site's privacy policy. They still count the total number of impressions for each news story, but aggregate consumer data for those with DNT in a non-identifiable way.'"

"but aggregate consumer data for those with DNT in a non-identifiable way.'"

hmm. Haven't we had many stories about how "non-identifiable" is still identifiable in some cases? It sounds like "Do Not Track" may mean actually "Might track less". As with all voluntary things though, the implementation is completely up to the company implementing it. There's no reason for them to do anything different. I might think it would even allow another layer of tracking since if you have "DNT" on then all that means is yet another flag could be used as a unique identifier, and now they can infer that you're tech savvy and paranoid enough to flip that flag.. What is the point of this again?

You visit site, the server checks your DNT flag before sending a cookie...and then what?

I'm guess the server records GameBoyRMH visited site xyz.com, but no cookie was set. And whenever you visit one of those 800 sites, they know it's you, because they have to check for your DNT flag.

So you've preserved the 100-or-so bytes the cookie would take on your drive, but how is that not tracking?

It seems to me a real DNT track system would be client-side only, and the setting would instruct the browser to accept and instantly (or after the session) delete the cookie, without giving any indication of the activity to the server.

They would store "someone visited page X at date Y and time Z" and they may also be able to store "and they were referred in from page ABC", but they would have no way of seeing where you went from that page, even if it was to another page on the site, because all that page is going to store is the same non-identifiable information.

A cookie allows them to give you a unique identifier, which works for differentiation down to individual browsers on the same machine, and that allows them to get a good picture of your travel around their site (and their affiliate sites etc) - the DNT flag would remove that, only allowing them to track the number of hits on a page and where the visitor came from.

They don't know its "you" each time, because the DNT flag contains no identifiable information - to them, this is the equivilent of you clearing out your cookies after each individual page visit. No cookie, no ID, no tracking beyond the current page. Same deal.

They would store "someone visited page X at date Y and time Z" and they may also be able to store "and they were referred in from page ABC", but they would have no way of seeing where you went from that page, even if it was to another page on the site, because all that page is going to store is the same non-identifiable information.

A cookie allows them to give you a unique identifier, which works for differentiation down to individual browsers on the same machine, and that allows them to get a good picture

Until you can come up with a magical way for the browser and server to be in contact but for the server to never know anything about the client, then you are going to have to trust the server to some extent.

In the context of Non-Tracking, the normal logic behind session cookies is not good enough. I'll leave it to my betters to show the proof, but "tracking" is a data-inbound event, so even if that session cookie becomes invalid later, a company sufficiently motivated to make a big show of "Do Not Track" while simultaneously getting trackable inbound info can do it, but it wouldn't all be stored in the cookie, it would be the cookie + other steps.

All those cookies you listed have already expired. Just look at the timestamps, it's right there.

If someone wanted to track you badly enough to do the things you're suggesting, they would simply ignore the DNT flag.

Something I suspect a lot of the folks on/. struggle with, as I do myself, is accepting the axiom that perfect is the enemy of good. DNT isn't remotely perfect, but that isn't the same as not being a good thing.

The really funny part is this makes you even more identifiable since so few will opt in. it is like that site that checks how identifiable you are by what your browser sends back (so sorry I can't think of the site, maybe someone has it bookmarked?) and with ABP and NoScript there were less than 8000 with my particular string which is a pretty small niche out of the billions of web users, but with ABP and NoScript turned off I was one of 1,2 million with the same string so it was like trying to find a part

Elsewhere I took a strongly worded stand vs a well meaning AC about session cookies, and "left it to my betters to work out the details". You provided one - the mere (rare) existence of the bit set to on itself.

I know about the Panopticlick method, but that felt "too easy" - so let's work on sneakier tricks. Using the principle of the 20-Questions Narrowing Down theme, can they narrow it down to "you" say within four page clicks? Sure, the homepage might not be enough, but there could be 10 ways o

Nope sorry, read it right. You see without ABP and NoScript (the only two extensions I had at the time) I was just a bog standard Firefox on a bog standard XP Home with the bog standard Flash and WMV plugins. That made me a needle in a needle factory simply due to the huge installed base of FF, XP Home, and Flash/WMV. There simply aren't that many using what I was using at the time PLUS ABP PLUS NoScript, which made me a MUCH easier target to find.

I am running FF 4 in MacOS X (madness, I know) and with Adblock and NoScript activated I have the same fingerprint as 1 in 53,152 browsers. If I use it with NoScript deactivated my browser finger print makes it unique, so I can be identified among all 1.4 million people that used Panopticlick. It's true MacOS X is not as common as Windows XP, but for me activating NoScript helps my privacy (I become 1 out of 30 instead of a specific one).

It seems to me a real DNT track system would be client-side only, and the setting would instruct the browser to accept and instantly (or after the session) delete the cookie, without giving any indication of the activity to the server.

That's basically what Cookiesafe [mozilla.org] and Cookie Monster" [mozilla.org] do. Firefox's default cookie manager does it a bit more clumsily, and is missing the option to allow a site to leave cookies for just the current session, not future sessions. Your only choices are always deny, allow pers

I already have a do-not-track. It's called adblock. It's not perfect and it isn't a certainty that I can't be tracked by advertisers and others (in fact, it's a certainty that I can be, I'm sure). At least I can avoid ads and a significant portion of tracking, though.

Way ahead of you. I use NoScript, Flashblock and Betterprivacy (ads that don't use Flash or JS still work fine, so I support the sites I browse). But unlike us, the Average Joe doesn't know how to defend himself, and it's sort of unreasonable to expect someone to know which scripts should be allowed and which shouldn't.

I already have a do-not-track. It's called adblock. It's not perfect and it isn't a certainty that I can't be tracked by advertisers and others (in fact, it's a certainty that I can be, I'm sure). At least I can avoid ads and a significant portion of tracking, though.

Adblock is a really good partial solution. Not only does it make you more difficult to track (since much of that is done by ad networks) but it also speeds up browsing and removes the more obnoxious ads. What you said makes me think of this line from the summary:

The previous solution was for users to opt-out via a link to a central opt-out page referenced in each participating news site's privacy policy.

That's the previous non-solution. Implicit in this idea is the notion that we're completely at the mer

Great! I can't wait for the NSA to follow suit and respect the "Do Not Track," option in FF4. Then we will know with all certainty that Hell has frozen over, we will be able to opt out of TSA ball-groping by using flying pigs for transportation instead of planes, that girl I had a crush on in HS will finally kiss me, and all my preparations for the zombie apocalypse will finally show their true value as the world crumbles around us as the final sign of the times.

What good is a privacy feature when it rests on the compliance of those who have conflicted interests in the matter? I'm scratching my head a bit as to why Mozilla went down this road at all. I know everyone is pushing for the Web-2.0-cloud-service-based-thin-client-web-app-with-local-storage and video embeded in buttons, but there has to be some kind of gatekeeper. If our gatekeepers (the browser makers/W3C) are merely going to add a "please be nice" button, what chances are there that the web will continue to be a medium of information excahnge, and not turn into a see of potentially dangerous apps? I know that's a bit chicken little sounding but this was one advantage the plugin model afforded. Don't want Flash/Java? Easily blocked. Don't want HTML privacy invasion? Ask the advertisers nicely to comply? Something seems seriously broken with this philosophy. It's arleady diffucult to browse a lot of sites sans-javascript, and it seems only to be getting worse. Personally, I've always thought one of the advantages of the web, one of the things that caused it to grow so rapidly, is that sites were sanboxed away from the user via the limitations of the browser.

Except it doesn't even seem to work for me - see my post above for the apregistry. What good is a method that's so buggy you can't rely on it? What fallacy is that, that they promote a feature yet for ____ % of the population it "just happens" not to work?

I don't get your post. It's not a client thing. The browser simply says to the remote server, "this person does not want to be tracked". It's not buggy or broken. It's up to the remote server to honor it. That's all. Now.. the "idea" may be buggy or broken. Sure. But that's a different thing.

I'm scratching my head a bit as to why Mozilla went down this road at all.

Well it seems like a bit of a publicity ploy for Mozilla to me, albeit, a good one. Mozilla has had issues with FF in recent versions (I'm looking at you FF3 bloat), but it still remains the poster child browser for a private/independent/free browser. I think the devs at Mozilla know full well that the Do Not Track flag requires the unlikely compliance from other entities. However, by making the feature easy to use and by publicizing it, it has brought the problem of, "Random data mining companies are harvesting everything about you," right into the main view of every user that configures their own Option settings in FF.

Furthermore, if users start checking the option because it sounds like a good idea, but there is still a big fuss about companies tracking users anyway, the users will start to ask what the hell is going on. If Mozilla takes the time to explain that, for true non-tracking web-browsing, those data mining companies have to take it down a notch, it could very well increase public criticism of data mining in general.

So all in all, I think adding the "Do Not Track" option was much more of a political move by Mozilla than an actual technical one. It's nice to see someone with money and clout sticking up for such things for once.

What good is a privacy feature when it rests on the compliance of those who have conflicted interests in the matter?

Why not make it so if you have DNT set and a site ignores it, a big notice pops up saying "This site does not honor your Do Not Track setting. If you proceed, information about your behavior while visiting this site will be tracked and collected, and may be used in a manner you find objectionable. Are you sure you wish to continue?" No, Always Allow, Allow this one time.

What good is a privacy feature when it rests on the compliance of those who have conflicted interests in the matter?

I think this may be setting technical foundation for a legal privacy framework with teeth. If there is a de-facto, widely implemented industry standard (even more so if they get it through say W3C) to say "I don't want you to gather my private information", and a company ignores it, can they be held liable? Maybe not today, but a law could be made to that effect tomorrow.

OK, I admit that I use facebook a little, just to stay in touch with far away family and friends. I login, see what my friends/family's been doing, post how many times I farted today and that's about it. But when I go to bigfatsluts.com and see the 'like' button under the videos, I cringe. I would like an option to deny facebook 'like' and suchlike (hah!) when I'm not on facebook itself. How ?

The particular problem that the OP suggests would be solved by privacy mode. I'm assuming his problem is that he's logged on to Facebook and when he visits sites with a "Like" button, Facebook "helpfully" posts it for him (actually I don't think you even need to be logged into Facebook, it can track you anyway if you have a Facebook cookie). If you turn on privacy mode you won't be logged onto Facebook (unless you then, stupidly, go ahead and log on to Facebook), so those like buttons won't connect you back

What's worse about this, is that it is implemented by an iframe. The "like" button is actually at facebook. bigfatsluts.com doesn't know anything about your facebook info, but, because you are logged in, and the facebook content knows what page it is being loaded into (the iframe source looks likes this: facebook.com/plugins/like.php?http://bigfatsluts.com/thehairiest.movie), facebook knows that you have visited the page.

The more sites that implement this, the more facebook is able to track your web brows

This is a nice thing for everyone to be doing, but it's still a trust relationship with no transparency. Bad actors won't respect my wishes. That's the definition of a bad actor.

The solution has to be on client side. Otherwise it's just more trust, which is what we've been using all along. I'd much rather trust the Ghostery extension to just block the tracker scripts to begin with.

So either you own the proxy (in which case they still have your IP address, or at least an IP address that belongs to you) or you trust the person who runs the proxy because they do have your real IP address.

To start with, they should rather strip all the unnecessary, incredibly detailed version information [eff.org] off the default user-agent string. Relying on the "goodwill" of ad companies is just absurd.

Oh and, as soon as this Do-Not-Track header becomes a default setting it will be ignored anyway...

With Cookie Monster [mozilla.org] it's not too painful. Set it to apply to the entire domain and not deal with subdomains, and have it block by default. Any time they need to login, just click the icon and permanently allow. Any time some crappy website that requires cookies denies them, then temporarily-allow.

I'm not saying most people will do this, but a fair amount can do this if they care. I doubt there is anything we can say to show them they should care, however.